bisecting fixing commit since f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a
building syzkaller on 816e0689d7d9d8321f8bf360740f0e516aee15ca
testing commit f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a with gcc (GCC) 8.1.0
kernel signature: 2c25c6caf246ae22978f1955134d4fbf4ddc92dd4fc8bac5b4a018ad2139e042
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing current HEAD c110fed0e606ff922d5cad8ab74ba9410ca41694
testing commit c110fed0e606ff922d5cad8ab74ba9410ca41694 with gcc (GCC) 8.1.0
kernel signature: 9ad89448ef7bfbdde1acc5c1131294a6e2fa9a9fb393892f005cabbe607cae2d
all runs: OK
# git bisect start c110fed0e606ff922d5cad8ab74ba9410ca41694 f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a
Bisecting: 1059 revisions left to test after this (roughly 10 steps)
[5579d7502ff6374d0953691de5bca353e1ba6b30] x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels
testing commit 5579d7502ff6374d0953691de5bca353e1ba6b30 with gcc (GCC) 8.1.0
kernel signature: 872ebd7bf67577c6f3660ee565288be8b24045113a1d34cd4b2d1796da5aa2d6
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good 5579d7502ff6374d0953691de5bca353e1ba6b30
Bisecting: 529 revisions left to test after this (roughly 9 steps)
[ba54b13c835609b3976714d3dde010c57d0fe23e] cifs: fix potential use-after-free in cifs_echo_request()
testing commit ba54b13c835609b3976714d3dde010c57d0fe23e with gcc (GCC) 8.1.0
kernel signature: 61435465e4df176eca8feefd9f5920db8f549c87606f1658cbd912b38dfa618d
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good ba54b13c835609b3976714d3dde010c57d0fe23e
Bisecting: 264 revisions left to test after this (roughly 8 steps)
[531d30493ddb26db900b666dd85b93dd3308b9b0] clk: ti: Fix memleak in ti_fapll_synth_setup
testing commit 531d30493ddb26db900b666dd85b93dd3308b9b0 with gcc (GCC) 8.1.0
kernel signature: 2bd7cc1c0a72e75cc2d7eeba57f7817bb00382a57c9e4e152c2a9b9042a8b9b6
all runs: OK
# git bisect bad 531d30493ddb26db900b666dd85b93dd3308b9b0
Bisecting: 132 revisions left to test after this (roughly 7 steps)
[ecc3960efd13003636238fe877f272f7cadd1707] ARM: p2v: fix handling of LPAE translation in BE mode
testing commit ecc3960efd13003636238fe877f272f7cadd1707 with gcc (GCC) 8.1.0
kernel signature: 989091fffcc799ff160ab8aca91d3025b15e17a20054a62283c2620eb553b467
all runs: OK
# git bisect bad ecc3960efd13003636238fe877f272f7cadd1707
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[1b4ea92e45841e41b20cb96d55a645e7fbb5b82c] ALSA: usb-audio: Fix control 'access overflow' errors from chmap
testing commit 1b4ea92e45841e41b20cb96d55a645e7fbb5b82c with gcc (GCC) 8.1.0
kernel signature: 16837a712725dc956d3bf6582ec76240a304176bd1b07686bc7cf1171437c8a1
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good 1b4ea92e45841e41b20cb96d55a645e7fbb5b82c
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[fe72ad02f8ab634b712a16de8d9c6bd59ee00228] scsi: mpt3sas: Increase IOCInit request timeout to 30s
testing commit fe72ad02f8ab634b712a16de8d9c6bd59ee00228 with gcc (GCC) 8.1.0
kernel signature: 888ebad34af34e18dea5d33c28cc7af3e8507a796ed6b7ab4cc6f9dc69857dec
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good fe72ad02f8ab634b712a16de8d9c6bd59ee00228
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[61490c481c61ff230da5f6042f353c6c0db0bc0c] Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()
testing commit 61490c481c61ff230da5f6042f353c6c0db0bc0c with gcc (GCC) 8.1.0
kernel signature: eafca0542879720d296f0f3a4b5a459a16ee9ae1393babe31f62a9feed94dbca
all runs: OK
# git bisect bad 61490c481c61ff230da5f6042f353c6c0db0bc0c
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[d079263b2ee54eed7534d07f97f32dd17eebc2d7] usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING flag to imx6ul
testing commit d079263b2ee54eed7534d07f97f32dd17eebc2d7 with gcc (GCC) 8.1.0
kernel signature: b568ef14963ab2a5eb5a153f94c400e50a57248144e64bda46c385c982c0d4b7
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good d079263b2ee54eed7534d07f97f32dd17eebc2d7
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[c9f589923f03a15402ea1e691e76897be65bb564] coresight: tmc-etr: Check if page is valid before dma_map_page()
testing commit c9f589923f03a15402ea1e691e76897be65bb564 with gcc (GCC) 8.1.0
kernel signature: b568ef14963ab2a5eb5a153f94c400e50a57248144e64bda46c385c982c0d4b7
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good c9f589923f03a15402ea1e691e76897be65bb564
Bisecting: 1 revision left to test after this (roughly 1 step)
[145b35d22ee296cd19d17333373ca56d206e2848] HID: i2c-hid: add Vero K147 to descriptor override
testing commit 145b35d22ee296cd19d17333373ca56d206e2848 with gcc (GCC) 8.1.0
kernel signature: b568ef14963ab2a5eb5a153f94c400e50a57248144e64bda46c385c982c0d4b7
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good 145b35d22ee296cd19d17333373ca56d206e2848
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7a3c3a1c67e00942ae4890281b5b56026650bed8] serial_core: Check for port state when tty is in error state
testing commit 7a3c3a1c67e00942ae4890281b5b56026650bed8 with gcc (GCC) 8.1.0
kernel signature: 03dfee89330b00fbd391364decd9f5afa02a2356ac886f8542fe1007707736a8
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good 7a3c3a1c67e00942ae4890281b5b56026650bed8
61490c481c61ff230da5f6042f353c6c0db0bc0c is the first bad commit
commit 61490c481c61ff230da5f6042f353c6c0db0bc0c
Author: Peilin Ye
Date:   Wed Sep 9 03:17:00 2020 -0400

    Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()

    commit f7e0e8b2f1b0a09b527885babda3e912ba820798 upstream.

    `num_reports` is not being properly checked. A malformed event packet with
    a large `num_reports` number makes hci_le_direct_adv_report_evt() read out
    of bounds. Fix it.

    Cc: stable@vger.kernel.org
    Fixes: 2f010b55884e ("Bluetooth: Add support for handling LE Direct Advertising Report events")
    Reported-and-tested-by: syzbot+24ebd650e20bd263ca01@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?extid=24ebd650e20bd263ca01
    Signed-off-by: Peilin Ye
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman

 net/bluetooth/hci_event.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

culprit signature: eafca0542879720d296f0f3a4b5a459a16ee9ae1393babe31f62a9feed94dbca
parent signature: 03dfee89330b00fbd391364decd9f5afa02a2356ac886f8542fe1007707736a8
revisions tested: 13, total time: 2h55m42.199616588s (build: 1h55m35.034236336s, test: 58m54.33522871s)
first good commit: 61490c481c61ff230da5f6042f353c6c0db0bc0c Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()
recipients (to): ["gregkh@linuxfoundation.org" "marcel@holtmann.org" "syzbot+24ebd650e20bd263ca01@syzkaller.appspotmail.com" "yepeilin.cs@gmail.com"]
recipients (cc): []